Privacy Notices - is it enough to just publish on your website?
GDPR helps individuals to take back control of the personal data that companies like you process in order to do business and part of this is to provide individuals with minimum information when personal data is obtained.
GDPR means that there is a lot more information that we need to provide to individuals to fulfil their “right to be informed”, which includes information such as retention periods of data, details of transfers to third countries, the existence of any automated decisions as well as other information.
At Beacon we understand that providing this information is fundamental to individuals understanding what we propose to use their personal data for once we have collected it, but have you also considered how you make your customers and employees aware of the existence of your Privacy Notices?
Poland's data protection agency (the UODO) issued its first fine for non-compliance with the GDPR in relation to the provision of privacy information. A fine of €220,000 was given to a company called Bisnode, for a failure to provide individuals with a privacy notice. The UODO said that it was not good enough for Bisnode to merely publish its privacy notice on its website and expect individuals to take pro-active steps to find it.
The ICO has not yet addressed the issue and may very well take a different approach, but it’s definitely food for thought. With the introduction of GDPR a lot of companies will have just updated the privacy notice online ready for “G Day”, but is this really enough? From the discussions we had at the time with the ICO, their view was very much that, provided companies had the privacy notices online from 25th May 2018, this would suffice, as long as companies informed individuals at a reasonable time after this date that the privacy notice had changed.
This comes back to the point I made in our first article regarding how at Beacon we believe that companies should comply with data protection law not just because they are obligated to, but because it is the right thing to do. So do you just update your website and hope that ticks all the boxes, or do you put yourself in your customers' / employees' shoes, think “how would I like to be informed about a company's use of my data?” and approach it from that perspective?
Beacon Consultant Services can help you to make these decisions around your privacy information. Please feel free to contact us by giving us a call, dropping us an email or completing a contact form, or for a free no-obligation health check to understand your current data protection risk.